
Summary
This detection rule identifies the execution of suspicious PowerShell cmdlets from the DSInternals PowerShell module, which is frequently used for administrative operations in Active Directory (AD) and Azure Active Directory (AAD). Because the module can, among other things, dump DPAPI backup keys and read or modify NTDS.DIT files, its use warrants close scrutiny. The rule flags cmdlets associated with sensitive operations, including auditing password policies, manipulating backup keys, and altering account credentials. It works by matching process command-line input against specific strings that correspond to DSInternals cmdlets, providing a way to detect potentially unauthorized or malicious activity that could compromise AD or AAD integrity. Since the same cmdlets are also used for legitimate administration, matches should be triaged against expected administrative activity.
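As an added illustration of the command-line string matching described above (not the rule's own definition or code), the following Python checker runs a case-insensitive match over constructed process-creation events. The cmdlet names are assumed from the public DSInternals module because the page does not list the rule's strings; the "Import-Module DSInternals" entry, the field names and the sample events are constructed for this example.

```python
from typing import Dict, List

# Cmdlet names assumed from the public DSInternals module (the page does not
# reproduce the rule's own string list); "Import-Module DSInternals" is an
# added catch for the module being loaded explicitly.
DSINTERNALS_STRINGS = [
    "Get-ADDBBackupKey",           # DPAPI backup key read from NTDS.DIT
    "Get-LsaBackupKey",            # DPAPI backup key read from a live DC
    "Get-ADDBAccount",             # account secrets read from NTDS.DIT
    "Get-ADReplAccount",           # account secrets via replication
    "Set-ADDBAccountPassword",     # credential change directly in NTDS.DIT
    "Set-SamAccountPasswordHash",  # credential change via SAM
    "Test-PasswordQuality",        # password policy / weak password audit
    "Import-Module DSInternals",
]

def match_dsinternals(event: Dict[str, object]) -> List[str]:
    """Return the DSInternals strings found in one event's command line."""
    # PowerShell cmdlet names are case-insensitive, so the match must be too.
    cmd = str(event.get("CommandLine", "")).lower()
    return [s for s in DSINTERNALS_STRINGS if s.lower() in cmd]

def scan_events(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Run the rule over process-creation events; one alert per matching event."""
    alerts = []
    for ev in events:
        hits = match_dsinternals(ev)
        if hits:
            alerts.append({"ProcessId": ev.get("ProcessId"),
                           "Image": ev.get("Image"), "matched": hits})
    return alerts

# Constructed process-creation events (Sysmon/4688-style fields), not real logs.
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "Image": PS,
     "CommandLine": 'powershell.exe -Command "Import-Module DSInternals; '
                    'Get-ADDBBackupKey -DatabasePath ntds.dit"'},
    {"ProcessId": 4131, "Image": PS,
     "CommandLine": 'powershell.exe -nop -c "get-adreplaccount -All -Server DC01 '
                    '| test-passwordquality -WeakPasswordsFile weak.txt"'},
    {"ProcessId": 4150, "Image": PS,
     "CommandLine": 'powershell.exe -Command "Get-ADUser -Filter *"'},
    {"ProcessId": 4162, "Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe C:\\Users\\jdoe\\ntds-notes.txt"},
]
if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(alert)
```

The benign events show that neither an ordinary AD cmdlet nor the substring "ntds" in an unrelated path triggers the rule; only the DSInternals strings do.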
Categories
- Windows
- Infrastructure
Data Sources
- Process
Created: 2024-06-26